In many web applications there is a need to keep the user signed in for a prolonged duration (days, weeks, sometimes months). I created a sample web application which implements this feature. You are welcome to use it.
This application is built using only the Java Servlet API, so it can be easily customized (or used as is) with any Java web framework such as Struts, Spring MVC, JSF, etc. The implementation is server-agnostic and can run on any JEE server.
The entire mechanism is cookie-based. Here are the high-level steps:
1. The user signs in with the “Keep me signed in” option checked.
2. A cookie is created in the user’s browser. It contains the username and a random number, separated by a hyphen. For security, the cookie’s content is encrypted with AES-128. Keep in mind that encryption by itself only hides the content; it does not detect a modified cookie, so the server should also verify integrity (an authenticated mode such as AES-GCM, or a separate MAC) before it acts on the decrypted value.
3. From then on, whenever the user visits the site, the browser submits the cookie created in step 2 to the server. The web application identifies the user from this cookie and lets him use the system.
4. Whenever the user comes back and is authenticated via the cookie, a new cookie is created and stored on his machine, so the cookie’s expiration time is pushed out as well (a sliding expiry).
WARNING: If the user needs to spend money, change the password, update contact information (such as email or residence address) or perform any other critical function, he should be asked to log in again with his username and password. Cookies can be stolen, and a cookie alone cannot be trusted for such sensitive operations without proper re-authentication.
Details on the Sample Implementation
The application was tested on Java 7/Tomcat 7. It uses nothing specific to Tomcat, so it should work on any other JEE server as well.
Application contains two servlets:
1. “/login” –> com.rememberme.LoginServlet
2. “/logout” –> com.rememberme.LogoutServlet
LoginServlet is called when the user signs in. If the user selected the “Keep me signed in” option, the cookie is created. Refer to the com.rememberme.CookieUtil#createRememberMeCookie(User, HttpServletResponse) method, which shows how to create the cookie. It’s as simple as this:
Cookie cookie = new Cookie(CookieUtil.REMEMBER_ME_COOKIE, userHashId);
When the user signs out, LogoutServlet is invoked. This servlet removes the cookie from the browser; refer to the com.rememberme.LogoutServlet#doGet() method. Removing the cookie is as simple as overwriting it with an empty value and a max age of zero:
Cookie cookie = new Cookie(CookieUtil.REMEMBER_ME_COOKIE, "");
cookie.setMaxAge(0); // max age 0 tells the browser to discard the cookie immediately
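The four high-level steps above and the two one-liners from LoginServlet and LogoutServlet, put together as one complete class. This is an added example, not the sample application’s own CookieUtil: the class and method names, the 12-byte nonce, and the choice of AES-GCM (an authenticated mode; the post only says “AES 128”) are my assumptions. It needs Java 8 or later for java.util.Base64 and AES/GCM in the default JCE provider, and the javax.servlet API used by Tomcat 7 through 9 (Tomcat 10 and later use jakarta.servlet).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the sample application's own CookieUtil: issues and validates a
 * "remember me" cookie whose value is "username-random" encrypted with AES-128.
 * The mode (GCM, which also authenticates the ciphertext) is an assumption; the post
 * only says "AES 128".
 */
public final class RememberMe {
    public static final String COOKIE_NAME = "remembermeUserName"; // rename for your application
    public static final int MAX_AGE_SECONDS = 14 * 24 * 60 * 60;   // 14 days, as in the sample
    private static final int NONCE_BYTES = 12;                      // standard GCM nonce size
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKey key;

    /** keyBytes must be exactly 16 bytes (AES-128); load it from configuration, not source. */
    public RememberMe(byte[] keyBytes) {
        if (keyBytes.length != 16) throw new IllegalArgumentException("AES-128 key must be 16 bytes");
        this.key = new SecretKeySpec(keyBytes, "AES");
    }

    /** Step 2: build the cookie value. Plaintext is "username-random"; the random part is
     *  standard Base64 (no '-' in its alphabet), so the last '-' is always the separator. */
    public String encode(String username) throws GeneralSecurityException {
        byte[] random = new byte[16];
        RNG.nextBytes(random);
        String plain = username + "-" + Base64.getEncoder().encodeToString(random);
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);                           // fresh nonce per cookie; never reuse with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(nonce, NONCE_BYTES + ct.length); // nonce || ciphertext+tag
        System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out); // cookie-safe characters only
    }

    /** Step 3: decrypt and verify the tag. Returns the username, or null if the cookie is
     *  malformed, encrypted under another key, or tampered with. */
    public String decode(String cookieValue) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookieValue);
            if (in.length < NONCE_BYTES + TAG_BITS / 8) return null;
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key,
                   new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(in, 0, NONCE_BYTES)));
            byte[] pt = c.doFinal(Arrays.copyOfRange(in, NONCE_BYTES, in.length)); // AEADBadTagException on tampering
            String plain = new String(pt, StandardCharsets.UTF_8);
            int dash = plain.lastIndexOf('-');
            return dash > 0 ? plain.substring(0, dash) : null;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // treat any failure as "not signed in"; never fall back to a guessed user
        }
    }

    /** Steps 2 and 4: set (or refresh) the cookie with the attributes a browser-held credential needs. */
    public void addCookie(HttpServletResponse resp, String username) throws GeneralSecurityException {
        Cookie cookie = new Cookie(COOKIE_NAME, encode(username));
        cookie.setMaxAge(MAX_AGE_SECONDS);
        cookie.setPath("/");
        cookie.setHttpOnly(true); // not readable by page scripts (Servlet 3.0+)
        cookie.setSecure(true);   // only sent over HTTPS
        resp.addCookie(cookie);
    }

    /** Steps 3 and 4: identify the user from the cookie and, if valid, slide the expiry by re-issuing it. */
    public String authenticate(HttpServletRequest req, HttpServletResponse resp) throws GeneralSecurityException {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                String user = decode(c.getValue());
                if (user != null) addCookie(resp, user); // new cookie, new 14-day window
                return user;
            }
        }
        return null;
    }

    /** Logout: an empty value with max age 0 makes the browser discard the cookie. */
    public static void removeCookie(HttpServletResponse resp) {
        Cookie cookie = new Cookie(COOKIE_NAME, "");
        cookie.setMaxAge(0);
        cookie.setPath("/"); // must match the path the cookie was set with
        resp.addCookie(cookie);
    }
}
```

Call authenticate(req, resp) from a servlet filter on each request and removeCookie(resp) from the logout servlet. Because GCM verifies a tag before releasing the plaintext, a cookie with a flipped bit decodes to null rather than to an altered username. Note that this class, like the post’s description, keeps no server-side record of the random value, so a stolen cookie stays valid until it expires or the key is rotated; if you need to revoke individual cookies, store a hash of the random part per user and compare it in decode.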
index.jsp presents the username/password login form. If the cookie is already present, the login form is not shown; only a welcome message is displayed.
A few settings should be changed before you use the sample in your own application:
1. The cookie name is currently generic: “remembermeUserName”. Change it to something specific to your application. Also keep the name unrevealing, something like “amfdikeiis”, so it does not advertise its purpose; an obscure name is not a security control in itself, the protection comes from the encrypted, unguessable value. The cookie name is defined in com.rememberme.CookieUtil#COOKIE_NAME.
2. The cookie expiration time is set to 14 days. Change it to a period suitable for your application. This property is defined in com.rememberme.CookieUtil#COOKIE_EXPIRY_PERIOD.
3. The secret key used to encrypt and decrypt the cookie contents is defined in com.rememberme.CookieUtil#HASH_KEY. Its length must be 16 characters (16 bytes, i.e. a 128-bit AES key), so make sure your HASH_KEY is also 16 characters long. Generate it from a cryptographically secure random source rather than choosing a memorable word, and prefer loading it from configuration instead of keeping it in the compiled code, since anyone who obtains the key can forge a valid cookie for any username.
Sample Application can be downloaded from here.
1. Download and install Java 7/Tomcat 7. Note: you can use any other Java/JEE server; if you do, make sure to recompile the code.
2. Copy the downloaded WAR (Web Archive) into Tomcat’s /webapps folder.
3. Start the Tomcat Server
4. In a web browser go to http://localhost:8080/rememberme (assuming Tomcat is listening on port 8080).